Signed-off-by: Laine Stump <laine(a)redhat.com>
---
I had thought I'd included documentation with the patch that added
parsing/formatting for this, but after crobinso noticed it was
missing, I realized that I had only put documentation in an earlier
version of the patches (that put the option inside
<virtualport>). Oops :-/
docs/formatdomain.html.in | 31 +++++++++++++++++++++++++++++++
docs/formatnetwork.html.in | 25 +++++++++++++++++++++++++
docs/formatnetworkport.html.in | 11 +++++++++++
3 files changed, 67 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4fef2a0a97..28770188dd 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6539,6 +6539,37 @@ qemu-kvm -net nic,model=? /dev/null
traffic for that VLAN will be tagged.
</p>
+ <h5><a id="elementPort">Isolating guests's network traffic
from each other</a></h5>
+
+<pre>
+...
+<devices>
+ <interface type='network'>
+ <source network='default'/>
+ <b><port isolated='yes'/></b>
+ </interface>
+</devices>
+...</pre>
+
+ <p>
+ <span class="since">Since 6.1.0.</span> The
<code>port</code>
+ element property <code>isolated</code>, when set
+ to <code>yes</code> (default setting is <code>no</code>) is
used
+ to isolate this interface's network traffic from that of other
+ guest interfaces connected to the same network that also
+ have <code><port isolated='yes'/></code>. This
setting is
+ only supported for emulated interface devices that use a
+ standard tap device to connect to the network via a Linux host
+ bridge. This property can be inherited from a libvirt network,
+ so if all guests that will be connected to the network should be
+ isolated, it is better to put the setting in the network
+ configuration. (NB: this only prevents guests that
+ have <code>isolated='yes'</code> from communicating with each
+ other; if there is a guest on the same bridge that doesn't
+ have <code>isolated='yes'</code>, even the isolated guests
will
+ be able to communicate with it.)
+ </p>
+
<h5><a id="elementLink">Modifying virtual link
state</a></h5>
<pre>
...
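Review bot: the new heading in this hunk has a typo, "guests's" should be "guests'". The paragraph also says the property "can be inherited from a libvirt network" but not what happens when the two disagree (the network carries `<port isolated='yes'/>` and the interface sets `isolated='no'`, or the reverse); one sentence saying which value wins would close that gap. The closing NB is the security-relevant part of this text and could additionally state, as the formatnetwork.html.in hunk in this same patch does, that the isolation only restricts guest-to-guest traffic and does not affect traffic between the guests and the host or destinations beyond the network, so readers do not read it as a general segmentation control.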
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 3d807ecab6..f1e7ce5e4e 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -729,6 +729,31 @@
or <code><interface></code>.
</p>
+ <h5><a id="elementPort">Isolating ports from one
another</a></h5>
+
+<pre>
+<network>
+ <name>isolated-ports</name>
+ <forward mode='bridge'/>
+ <bridge name='br0'/>
+ <port isolated='yes'/>
+</network>
+</pre>
+
+ <p>
+ <span class="since">Since 6.1.0.</span> The
<code>port</code>
+ element property <code>isolated</code>, when set
+ to <code>yes</code> (default setting is <code>no</code>) is
used
+ to isolate the network traffic of each guest on the network from
+ all other guests connected to the network; it does not have an
+ effect on communication between the guests and the host, or
+ between the guests and destinations beyond this network. This
+ setting is only supported for networks that use a Linux host
+ bridge to connect guest interfaces via a standard tap device
+ (i.e. those with a forward mode of nat, route, open, bridge, or
+ no forward mode).
+ </p>
+
<h5><a id="elementsPortgroup">Portgroups</a></h5>
<pre>
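Review bot: the parenthetical "(i.e. those with a forward mode of nat, route, open, bridge, or no forward mode)" is broader than the condition stated just before it. The condition is that the network connects guest interfaces through a Linux host bridge via a standard tap device, so "bridge" belongs in that list only for networks defined with `<bridge name='...'/>` as in the example above; suggest qualifying it as e.g. "bridge (when defined with <bridge name=.../>)" so a reader does not assume every forward mode='bridge' network is eligible. It would also help to say what libvirt does when `<port isolated='yes'/>` is given on a network that does not meet the condition (rejected at define time, or silently ignored), since a silently ignored isolation setting is the case an operator most needs to know about.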
diff --git a/docs/formatnetworkport.html.in b/docs/formatnetworkport.html.in
index 0425e069ce..199a05f929 100644
--- a/docs/formatnetworkport.html.in
+++ b/docs/formatnetworkport.html.in
@@ -84,6 +84,7 @@
<outbound average='128' peak='256'
burst='256'/>
</bandwidth>
<rxfilters trustGuest='yes'/>
+ <port isolated='yes'/>
<virtualport type='802.1Qbg'>
<parameters managerid='11' typeid='1193047'
typeidversion='2'/>
</virtualport>
@@ -110,6 +111,16 @@
only supported for the virtio device model and for macvtap
connections on the host.
</dd>
+ <dt><code>port</code></dt>
+ <dd> <span class="since">Since 6.1.0.</span>
+ The <code>port</code> element property
+ <code>isolated</code>, when set to <code>yes</code>
(default
+ setting is <code>no</code>) is used to isolate this port's
+ network traffic from other ports on the same network that also
+ have <code><port isolated='yes'/></code>. This
setting
+ is only supported for emulated network devices connected to a
+ Linux host bridge via a standard tap device.
+ </dd>
<dt><code>virtualport</code></dt>
<dd>The <code>virtualport</code> element describes metadata that
needs to be provided to the underlying network subsystem. It
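Review bot: the `<dd>` text in this hunk omits the caveat given in the formatdomain.html.in hunk that a port on the same bridge without `isolated='yes'` can still reach the isolated ports; since the network port XML is what someone inspects to understand a live port's effective isolation, the caveat belongs here too, or the entry should link to the fuller description (for example `<a href="formatnetwork.html#elementPort">`) rather than carrying a third copy of the same explanation. Minor style point: `<dd> <span class="since">` has a stray space after `<dd>` that the neighbouring `<dd>` entries in this hunk do not.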
--
2.24.1